From e955a7f460adadf54da7bfb62f04cbff16ca5941 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 7 Feb 2023 14:16:11 +0900 Subject: [PATCH 1/2] udevd: configure a child process name for worker processes This effectively reverts commit ff86c92e3043f71fc801cf687600a480ee8f6778, and re-apply 49f3ee7e74c714f55aab395c080b1099fc17f7fd. The change was dropped due to the process name was not correctly logged, but the issue was fixed by dd15e4cb57129b915e01495e113696bfe0b70214. Let's set the child process name again. --- src/udev/udevd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/udev/udevd.c b/src/udev/udevd.c index 6fb0305e09..c6d24d9c36 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c @@ -807,7 +807,7 @@ static int worker_spawn(Manager *manager, Event *event) { if (r < 0) return log_error_errno(r, "Worker: Failed to enable receiving of device: %m"); - r = safe_fork(NULL, FORK_DEATHSIG, &pid); + r = safe_fork("(udev-worker)", FORK_DEATHSIG, &pid); if (r < 0) { event->state = EVENT_QUEUED; return log_error_errno(r, "Failed to fork() worker: %m"); From f3f2d02e9731e65eb15c26980305cd47e028f4fc Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 7 Feb 2023 14:33:06 +0900 Subject: [PATCH 2/2] tree-wide: set FORK_RLIMIT_NOFILE_SAFE flag No functional changes, just refactoring. --- src/fsck/fsck.c | 5 +---- src/import/pull-common.c | 5 +---- src/journal-remote/journal-remote-main.c | 4 +--- src/libsystemd/sd-bus/bus-socket.c | 5 +---- src/nspawn/nspawn-setuid.c | 5 +---- src/shared/exec-util.c | 9 ++------- src/udev/udev-event.c | 4 +--- 7 files changed, 8 insertions(+), 29 deletions(-) diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c index 37fdfa540f..e25c5d5efa 100644 --- a/src/fsck/fsck.c +++ b/src/fsck/fsck.c @@ -27,7 +27,6 @@ #include "path-util.h" #include "proc-cmdline.h" #include "process-util.h" -#include "rlimit-util.h" #include "signal-util.h" #include "socket-util.h" #include "special.h" @@ -346,7 +345,7 @@ static int run(int argc, char *argv[]) { pipe(progress_pipe) < 0) return log_error_errno(errno, "pipe(): %m"); - r = safe_fork("(fsck)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); + r = safe_fork("(fsck)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &pid); if (r < 0) return r; if (r == 0) { @@ -395,8 +394,6 @@ static int run(int argc, char *argv[]) { cmdline[i++] = device; cmdline[i++] = NULL; - (void) rlimit_nofile_safe(); - execv(cmdline[0], (char**) cmdline); _exit(FSCK_OPERATIONAL_ERROR); } diff --git a/src/import/pull-common.c b/src/import/pull-common.c index 6980f12a79..c8a3bf370e 100644 --- a/src/import/pull-common.c +++ b/src/import/pull-common.c @@ -16,7 +16,6 @@ #include "process-util.h" #include "pull-common.h" #include "pull-job.h" -#include "rlimit-util.h" #include "rm-rf.h" #include "signal-util.h" #include "siphash24.h" @@ -415,7 +414,7 @@ static int verify_gpg( gpg_home_created = true; - r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); + r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &pid); if (r < 0) return r; if (r == 0) { @@ -446,8 +445,6 @@ static int verify_gpg( _exit(EXIT_FAILURE); } - (void) rlimit_nofile_safe(); - cmd[k++] = strjoina("--homedir=", gpg_home); /* We add the user keyring only to the command line arguments, if it's around since gpg fails diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c index 29f05891f5..7df264fb53 100644 --- a/src/journal-remote/journal-remote-main.c +++ b/src/journal-remote/journal-remote-main.c @@ -85,7 +85,7 @@ static int spawn_child(const char* child, char** argv) { if (pipe(fd) < 0) return log_error_errno(errno, "Failed to create pager pipe: %m"); - r = safe_fork("(remote)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &child_pid); + r = safe_fork("(remote)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &child_pid); if (r < 0) { safe_close_pair(fd); return r; @@ -101,8 +101,6 @@ static int spawn_child(const char* child, char** argv) { _exit(EXIT_FAILURE); } - (void) rlimit_nofile_safe(); - execvp(child, argv); log_error_errno(errno, "Failed to exec child %s: %m", child); _exit(EXIT_FAILURE); diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c index 253f41c636..64037e4fe0 100644 --- a/src/libsystemd/sd-bus/bus-socket.c +++ b/src/libsystemd/sd-bus/bus-socket.c @@ -22,7 +22,6 @@ #include "memory-util.h" #include "path-util.h" #include "process-util.h" -#include "rlimit-util.h" #include "signal-util.h" #include "stdio-util.h" #include "string-util.h" @@ -995,7 +994,7 @@ int bus_socket_exec(sd_bus *b) { if (r < 0) return -errno; - r = safe_fork_full("(sd-busexec)", s+1, 1, FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS, &b->busexec_pid); + r = safe_fork_full("(sd-busexec)", s+1, 1, FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_RLIMIT_NOFILE_SAFE, &b->busexec_pid); if (r < 0) { safe_close_pair(s); return r; @@ -1008,8 +1007,6 @@ int bus_socket_exec(sd_bus *b) { if (r < 0) _exit(EXIT_FAILURE); - (void) rlimit_nofile_safe(); - if (b->exec_argv) execvp(b->exec_path, b->exec_argv); else diff --git a/src/nspawn/nspawn-setuid.c b/src/nspawn/nspawn-setuid.c index e396d66441..5772d96b2f 100644 --- a/src/nspawn/nspawn-setuid.c +++ b/src/nspawn/nspawn-setuid.c @@ -12,7 +12,6 @@ #include "mkdir.h" #include "nspawn-setuid.h" #include "process-util.h" -#include "rlimit-util.h" #include "signal-util.h" #include "string-util.h" #include "strv.h" @@ -29,7 +28,7 @@ static int spawn_getent(const char *database, const char *key, pid_t *rpid) { if (pipe2(pipe_fds, O_CLOEXEC) < 0) return log_error_errno(errno, "Failed to allocate pipe: %m"); - r = safe_fork("(getent)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); + r = safe_fork("(getent)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &pid); if (r < 0) { safe_close_pair(pipe_fds); return r; @@ -44,8 +43,6 @@ static int spawn_getent(const char *database, const char *key, pid_t *rpid) { (void) close_all_fds(NULL, 0); - (void) rlimit_nofile_safe(); - execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env); execle("/bin/getent", "getent", database, key, NULL, &empty_env); _exit(EXIT_FAILURE); diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c index f5283f9df4..7ed2cce76b 100644 --- a/src/shared/exec-util.c +++ b/src/shared/exec-util.c @@ -20,7 +20,6 @@ #include "missing_syscall.h" #include "path-util.h" #include "process-util.h" -#include "rlimit-util.h" #include "serialize.h" #include "set.h" #include "signal-util.h" @@ -43,7 +42,7 @@ static int do_spawn(const char *path, char *argv[], int stdout_fd, pid_t *pid, b return 0; } - r = safe_fork("(direxec)", FORK_DEATHSIG|FORK_LOG, &_pid); + r = safe_fork("(direxec)", FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &_pid); if (r < 0) return r; if (r == 0) { @@ -55,8 +54,6 @@ static int do_spawn(const char *path, char *argv[], int stdout_fd, pid_t *pid, b _exit(EXIT_FAILURE); } - (void) rlimit_nofile_safe(); - if (set_systemd_exec_pid) { r = setenv_systemd_exec_pid(false); if (r < 0) @@ -493,7 +490,7 @@ int fork_agent(const char *name, const int except[], size_t n_except, pid_t *ret r = safe_fork_full(name, except, n_except, - FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_CLOSE_ALL_FDS|FORK_REOPEN_LOG, + FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_CLOSE_ALL_FDS|FORK_REOPEN_LOG|FORK_RLIMIT_NOFILE_SAFE, ret_pid); if (r < 0) return r; @@ -537,8 +534,6 @@ int fork_agent(const char *name, const int except[], size_t n_except, pid_t *ret } } - (void) rlimit_nofile_safe(); - /* Count arguments */ va_start(ap, path); for (n = 0; va_arg(ap, char*); n++) diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c index 6d47a2a49d..ec4ad30824 100644 --- a/src/udev/udev-event.c +++ b/src/udev/udev-event.c @@ -23,7 +23,6 @@ #include "parse-util.h" #include "path-util.h" #include "process-util.h" -#include "rlimit-util.h" #include "signal-util.h" #include "stdio-util.h" #include "string-util.h" @@ -811,7 +810,7 @@ int udev_event_spawn( log_device_debug(event->dev, "Starting '%s'", cmd); - r = safe_fork("(spawn)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); + r = safe_fork("(spawn)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &pid); if (r < 0) return log_device_error_errno(event->dev, r, "Failed to fork() to execute command '%s': %m", cmd); @@ -820,7 +819,6 @@ int udev_event_spawn( _exit(EXIT_FAILURE); (void) close_all_fds(NULL, 0); - (void) rlimit_nofile_safe(); DEVICE_TRACE_POINT(spawn_exec, event->dev, cmd);